At MC Physiotherapy, we are fully committed to safeguarding the privacy of our patients and website visitors. This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable laws in Cyprus. By using our services or interacting with us via our website at www.mcphysiocy.com, by email, phone, or in person, you acknowledge and accept the practices described herein.

MC Physiotherapy operates as a private physiotherapy practice based in Peyia, Paphos, Cyprus. The data controller responsible for your personal information is MC Physiotherapy Ltd, located at 68 Michalaki Kyprianou, Peyia, Paphos, 8560, Cyprus. You may contact us directly at mcphysio.cy@gmail.com or by calling +357 95 525 205 if you have any questions about how your data is handled.

We collect and process personal information that is necessary to provide effective physiotherapy services. This may include your full name, contact details such as your email address and phone number, date of birth, residential address, and emergency contact information. In the course of treatment, we also collect special category data, specifically health-related information. This includes medical history, records of previous injuries or surgeries, clinical assessments, diagnostic outcomes, treatment plans, and any referrals received from general practitioners or other specialists. If you contact us via our website or use our online booking system, we may also collect communication details, your IP address, and basic browser information for administrative and security purposes.

Your personal and medical data is used exclusively for the provision of physiotherapy treatment and associated healthcare services. This includes creating and maintaining clinical records, managing appointments, communicating with you regarding your care, and ensuring compliance with any applicable insurance or legal requirements. Occasionally, we may use your contact information to send appointment reminders or follow-up instructions related to your treatment, either by phone, email, or SMS. We do not use your data for marketing purposes unless you have explicitly opted in, and we do not engage in automated decision-making or profiling.

Our legal basis for processing your personal information depends on the specific context in which we collect it. Where you have booked treatment with us, processing is necessary to perform our contractual obligations. In other cases, we may process your data based on your informed consent or to comply with legal obligations imposed by health or professional authorities. The processing of special category health data is carried out under Article 9(2)(h) of the GDPR, which permits the handling of sensitive data for the provision of healthcare and treatment.

We are committed to ensuring that your information is secure. Health records and electronic files are stored in encrypted or password-protected systems, with access strictly limited to authorised personnel. Paper records, where applicable, are kept in locked, secure locations. We also take measures to ensure our online forms, communications, and scheduling systems are secure, regularly updating our protocols to reduce the risk of unauthorised access.

We will never sell, rent, or distribute your personal information to third parties. However, in specific situations, it may be necessary to share limited data with other professionals or organisations. This includes circumstances where you have consented to a referral, when data must be provided to insurance companies supporting your treatment costs, or when we are required by law or regulatory authorities to disclose certain information.

Your personal information will be retained only for as long as necessary. Clinical records are held for seven years following the date of your last treatment. In the case of minors, records are held until the individual reaches the age of 25, in line with healthcare retention standards. If you make an enquiry but do not commence treatment, any communication or data shared with us will be deleted after a period of twelve months.

As a data subject under GDPR, you have several important rights. You have the right to request access to any data we hold about you, to ask for corrections to inaccurate or incomplete information, and to request the erasure of data where appropriate. You may also object to or request restrictions on how we process your data in certain circumstances. If we are relying on your consent to process any data, you have the right to withdraw that consent at any time. Any such requests can be submitted in writing to mcphysio.cy@gmail.com, and we will respond promptly.

If you believe your data protection rights have been violated, you also have the right to lodge a complaint with the Commissioner for Personal Data Protection in Cyprus.

We reserve the right to update this Privacy Policy from time to time to reflect changes in our legal obligations or internal procedures. Any revisions will be posted on our website, and where appropriate, we will inform you directly.

For any questions or concerns regarding this policy or your personal data, please do not hesitate to contact us.